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Abstract 

We  give  a  semantically  based  axiomatic  treatment  of  partial  correctness  and  deadlock  for  an  im¬ 
perative  shared  variable  parallel  programming  language.  The  Owicki-Gries  proof  methodology  for 
this  language  proves  conventional  Hoare-style  partial  correctness  assertions  and  involves  the  no¬ 
tion  of  interference- freedom  of  proofs  (to  guarantee  soundness),  auxiliary  variables  (to  guarantee 
relative  completeness),  and  global  invariants  (to  permit  reasoning  about  deadlock-freedom).  Our 
axiomatic  proof  system  is  based  more  explicitly  on  the  underlying  operational  semantics,  using 
assertions  whose  syntactic  structure  directly  reflects  the  operational  behavior  of  parallel  programs 
at  an  appropriate  level  of  abstraction.  We  build  a  proof  system  that  requires  neither  interference- 
freedom  nor  auxiliary  variables.  Novel  features  include  the  use  of  a  syntactic  form  of  parallel 
composition  of  assertions,  and  the  use  of  conjunction  and  implication  as  connectives  on  assertions. 
It  is  possible  simultaneously  to  reason  about  partial  correctness  and  deadlock-freedom  using  our 
proof  system,  without  recourse  to  global  invariants.  We  discuss  some  nou-trivial  examples,  and 
compare  our  proof  methodology  with  some  other  proof  methods  from  the  literature. 
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1  Introduction 


It  has  become  widely  accepted  since  Hoare’s  classic  paper  [Hoa69]  that  formal  reasoning  about 
program  correctness  properties  is  desirable.  Hoare  treated  partial  correctness  properties  of  com¬ 
mands  in  a  sequential  imperative  programming  language,  using  simple  assertions  based  on  pre- 
and  post-conditions.  The  proof  system  was  syntax-directed,  in  that  axioms  or  rules  were  given  for 
each  syntactic  construct;  each  inference  rule  allows  the  deduction  of  a  partial  correctness  property 
of  a  command  from  premisses  which  are  partial  correctness  properties  of  its  immediate  syntactic 
sub-commands.  The  partial  correctness  assertions  (pea’s)  chosen  by  Hoare  are  admirably  suited 
to  the  task:  they  are  concise  in  structure  and  have  a  clear  correlation  with  a  state  transformation 
semantics  for  the  programming  language.  This  means  that  fairly  straightforward  proofs  of  the 
soundness  and  (relative)  completeness  of  Hoare’s  proof  system  can  be  given  [AptSl,  Coo78]. 

For  more  complicated  programming  languages  the  story  is  not  so  simple.  Several  proposed 
axiomatic  treatments  of  programming  languages  have  turned  out  to  be  either  unsound  or  incom¬ 
plete  [OD82].  The  task  of  establishing  soundness  and  completeness  of  proof  systems  for  program 
properties  can  be  complicated  by  an  excessive  amount  of  detail  used  in  the  semantic  description 
of  the  programming  language.  This  point  seems  to  be  quite  well  known,  and  is  made,  for  instance 
in  [Apt81].  Similar  problems  can  be  caused  by  the  use  of  an  excessively  intricate  or  poorly  struc¬ 
tured  assertion  language,  or  by  overly  complicated  proof  rules.  Certainly  for  sequential  languages 
with  state-transformation  semantics  the  usual  Hoare-style  assertions  with  pre-  and  post-conditions 
are  suitable.  But  for  languages  which  require  more  sophisticated  semantic  treatment  we  believe 
that  it  is  inappropriate  to  try  to  force  assertions  to  fit  into  the  pre-  and  post-condition  mould; 
such  an  attempt  tends  to  lead  to  pre-  and  post-conditions  with  a  rather  complex  structure,  when 
it  could  be  simpler  to  use  a  class  of  assertions  with  a  different  structure  which  more  accurately 
corresponds  to  the  semantics.  The  potential  benefits  of  basing  an  axiomatic  treatment  directly  on 
a  well  chosen  semantics  has  been  argued,  for  instance,  in  [Bro85],  where  an  axiomatic  treatment 
of  alicising  was  given.  We  believe  that  implicit  in  the  design  of  Hoare’s  logic  was  the  idea  that  the 
semantic  structure  of  a  language  should  determine  the  choice  of  assertion  language  for  specifying 
program  properties.  It  is  this  idea,  rather  than  the  use  of  assertions  built  from  a  pre-condition  and 
a  post-condition,  that  should  form  the  basis  for  generalization  when  we  axiomatize  more  complex 
programming  languages.  In  this  paper  we  take  such  an  approach  for  a  simple  imperative  parallel 
programming  language. 

Parallel  programming  languages  certainly  require  a  more  sophisticated  semantic  model  than 
sequential  languages.  Proof  systems  for  reasoning  about  various  forms  of  parallelism  have  been 
proposed  by  several  authors,  notably  [AFdRSO,  Ash75,  BKP84,  Ger83,  Kel76,  Lam80,  LS84,  LG81, 
MP82,  OG76].  Owicki  and  Gries  [OG76]  gave  a  Hoare-style  axiom  system  for  a  programming  lan¬ 
guage  in  which  parallel  commands  can  interact  through  their  effects  on  shared  variables.  Their 
proof  rule  for  parallel  composition  involved  a  notion  of  interference-freedom  and  used  proof  outlines 
as  premisses.  In  order  to  obtain  a  (relatively)  complete  proof  system  Owicki  found  it  necessary  to 
use  auxiliary  variables  and  to  add  proof  rules  for  dealing  with  them.  These  features  have  been  the 
subject  of  considerable  discussion  in  the  literature,  such  as  [Bes82,  Lam80].  Some  alternative  proof 
systems,  such  as  those  of  Lamport  and  Schneider  [LS84]  and  the  transition  logic  of  Gerth  [Ger83], 
employ  essentially  the  same  syntactic  structure  for  assertions  (again  pea’s)  but  modify  the  inter¬ 
pretation  given  to  assertions.  All  of  these  approaches  attempt  to  maintain  at  least  a  syntactic 
similarity  of  structure  with  Hoare’s  pea’s.  Most  of  the  proof  systems  which  have  emerged  so  far 
have  followed  Owicki  in  imposing  some  form  of  interference-freedom  condition  as  a  constraint  on 
the  rule  for  parallel  composition.  Most  of  these  axiomatizations  have  been  designed  with  par- 
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tial  correctness  in  mind,  and  in  cases  where  it  is  possible  to  adapt  the  proof  system  to  deduce 
deadlock-freedom  properties  this  is  typically  done  by  means  of  global  invariants. 

In  this  paper  we  present  an  alternative  axiomatization  based  directly  on  a  structural  operational 
semantics  [PI08I],  essentially  as  given  by  Hennessy  and  Plotkin  [HP79].  In  view  of  the  congruence 
established  in  [HP79]  between  this  operational  semantics  and  a  denotational  semantics  based  on  a 
powerdomain  of  resumptions,  our  axiomatization  can  also  be  thought  of  as  built  on  a  resumption 
semantics.  We  define  syntactic  operations  on  assertions  which  correspond  to  the  semantics  of 
the  various  syntactic  constructs  in  the  programming  language;  in  particular,  we  define  sequential 
and  parallel  composition  for  assertions.  This  leads  naturally  to  compositional,  or  syntax-directed, 
proof  rules  for  the  syntactic  constructs.  We  do  not  need  an  interference-freedom  condition  in 
our  rule  for  parallel  composition,  in  contrast  to  Owicki’s  system.  Similarly,  we  do  not  need  an 
auxiliary  variables  rule.  We  show  how  to  re-construct  Owicki’s  rule  for  parallel  composition  with 
its  interference-freedom  condition,  using  our  methods.  Essentially,  Owicki’s  system  uses  a  restricted 
subset  of  our  assertions  and  a  variant  form  of  parallel  composition  of  assertions. 

We  apply  our  proof  methodology  to  some  non-trivial  parallel  programming  examples  from 
the  literature,  including  Peterson’s  algorithm,  a  producer-consumer  program,  and  the  problem  of 
partitioning  a  set.  We  further  compare  our  work  briefly  with  that  of  some  other  authors,  discuss 
some  of  its  limitations,  and  make  a  few  suggestions  for  further  research. 

2  A  Parallel  Programming  Language 

2.1  Syntax 

Our  programming  language  is  obtained  by  adding  two  features  to  a  simple  imperative  while-loop 
language:  a  form  of  parallel  composition,  and  a  “conditional  critical  region”  construct  [Hoa72]. 
Parallel  commands  interact  solely  through  their  effects  on  shared  variables.  There  are  four  syntactic 
sets:  Ide,  the  set  of  identifiers,  ranged  over  by  /;  Exp,  the  set  of  expressions,  ranged  over  by  E; 
BExp,  the  set  of  boolean  expressions  (or  conditions),  ranged  over  by  B;  and  Com,  the  set  of 
commands,  ranged  over  by  C.  The  abstract  syntax  for  identifiers,  expressions  and  conditions  will 
be  taken  for  granted;  ail  we  assume  is  that  identifiers  and  expressions  denote  integer  or  boolean 
values,  and  the  language  contains  the  usual  arithmetic  and  boolean  operators  and  constants.  For 
commands  we  specify  the  following  abstract  syntax: 

C  ::=  skip  |  I:=E  |  Ci;C2  i  if  B  then  Ci  else  C2  | 
while  5  do  C  I  (C1IIC2]  1  await  B  then  {€) 

The  command  skip  is  an  atomic  action  having  no  effect  on  program  variables.  An  assignment 
is  denoted  I:=E,  and  is  also  an  atomic  action.  Sequential  composition  is  represented  by  Ci;C2. 
A  parallel  composition  [Ci||C2]  is  executed  by  interleaving  the  atomic  actions  of  the  component 
commands  Ci  and  C2.  A  command  of  the  form  await  B  then  (C)  is  a  conditional  critical  region 
with  test  B  and  body  C;  we  impose  the  syntactic  constraint  that  the  body  C  should  be  a  finite 
sequence  of  assignments  (or  skip)^;  the  intended  semantics  will  be  to  execute  C  as  an  atomic 
step  when  B  is  true.  We  use  the  abbreviations  (C)  for  await  true  then  (C),  and  await  B  for 
await  B  then  (skip). 


'This  syntactic  constraint  is  not  theoretically  necessary,  and  causes  no  significant  loss  in  the  expressive  power  of 
the  programming  language,  but  seems  reasonable  in  order  to  guarantee  that  critical  regions  may  be  implemented 
easily. 
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2.2  Semantics 


In  describing  the  semantics  of  this  language,  we  will  focus  mainly  on  commands.  The  set  S  of 
states  consists  simply  of  the  functions  from  identifiers  to  denotable  values: 

5  =  [Ide  ^  V], 

where  V  is  the  set  of  integers  and  truth  values.  We  use  s  to  range  over  states,  and  we  write 
s  +  [/  •-►  u]  for  the  state  which  agrees  with  s  except  that  it  gives  identifier  /  the  value  v.  As 
usual,  the  value  denoted  by  an  expression  may  depend  on  the  values  of  its  free  identifiers.  Thus, 
we  assume  the  existence  of  a  semantic  function 

€  :  Exp  ^  [5  ^  V]. 

Similarly,  we  assume  given  a  semantic  function  B  :  BExp  — ►  [5  — ►  T],  where  T  =  is  the 

set  of  truth  values.  We  make  the  simplifying  assumption  that  ail  expressions  and  conditions  denote 
a  proper  value,  i.e.  that  evaluation  of  expressions  and  conditions  always  terminates.  Moreover, 
expression  evaluation  does  not  cause  any  side-effects. 

We  specify  the  semantics  of  commands  in  the  structural  operational  style  [Plo81],  and  our 
presentation  follows  that  of  [HP79].  We  define  first  an  abstract  machine  which  specifies  the  com¬ 
putations  of  a  command.  The  abstract  machine  is  given  by  a  labelled  transition  system 

(Conf,Lab,— ►), 

where  Conf  is  a  set  of  configurations^  Lab  is  a  set  of  labels  (ranged  over  by  a  and  fi),  and  — ►  is  a 
family 

|a  €  Lab} 

of  transition  relations  -^C  Conf  x  Conf  indexed  by  elements  of  Lab.  We  use  atomic  actions  as 
labels. 

For  convenience  we  introduce  a  term  null  to  represent  termination,  and  we  specify  (purely  for 
notational  purposes)  that 

[nullllC]  =  (Cllnull]  =  C, 
null;  C  —  C. 

The  set  of  configurations  is  Conf  =  (ComU  {null})  x  5.  A  configuration  of  the  form  (C,a)  will 
represent  a  stage  in  a  computation  at  which  the  remaining  command  to  be  executed  is  C,  and  the 
current  state  is  s.  A  configuration  of  the  form  (null,s)  represents  termination  in  the  given  state. 
A  transition  of  the  form 

(C,S)  (C',5') 

represents  a  computation  step  in  which  the  state  and  remaining  command  change  as  indicated, 
and  in  which  the  atomic  action  a  occurs.  We  write  (C,  s)  {C\  s')  when  there  is  an  a  for  which 
(C,  3)  {C',s').  And  we  use  the  notation  — ►*  for  the  reflexive  transitive  closure  of  this  relation. 

Thus  (C,s)  — ♦*  {C',s')  iff  there  is  a  sequence  of  atomic  actions  from  the  first  configuration  to  the 
second. 

The  transition  relation  is  defined  to  be  the  smallest  relation  on  configurations  satisfying  the 
syntax-directed  transition  rules  given  in  Figure  1.  This  means  that  a  transition  is  possible  if  and 
only  if  it  can  be  deduced  from  these  rules. 

Note  that  this  transition  system  specifies  that  a  parallel  composition  terminates  only  when  both 
components  have  terminated,  because  of  our  conventions  about  null:  we  have  ([CillCj],^) 
{€■2,3')  whenever  (Ci,s)  (null, s'),  for  instance. 
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(skip,  a)  (null,s) 

(/:=£,  s)  (nuU,s  +  [/  5p]]s]) 

{Cus)  ^  (c;,/) 
(Ci;C2,s)-^(Ci;C2,y) 

(Ci,s)^(C7;,s>) 

{[Ct\\C2],s)  ^  {[C{\\C2U) 

{C2,s)  ^  {C',,s') 

{[Ci\\C2hs)  ^  {[Cx\\C',U) 

=  tt  (C,  s)  -»•  (nuU,  s') 

(await  B  then  {C),s}  (null, s') 

B\[B]\s  =  tt 

(if  B  then  Ci  else  C2,s)  (Ci.s) 

_ =  ti _ 

(if  B  then  Ci  else  C2,s)  (C2,s) 

5[[5]]s  =  tt 

(while  B  do  C,s)  (C;  while  B  do  C,  s) 

gpB^  =  f  f 

(while  B  do  C,s)  (null,  •>) 

Figure  1:  Transition  Rules 
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2.3  Examples 

1.  The  command  [i:=i  +  l||a::=i  +  1]  has  two  transition  sequences  from  state  [i  >-».  0],  which 
produce  the  same  effect; 

{[x-.—x  +  l||x:=a:  +  l],[a;  >-+  0])  (x:=x  +  l,[i  i-*  1]) 

(null,  [x  I-+  2]). 

2.  The  command  [x:=2||(x:=l;i:=x  +  1)]  has  three  transition  sequences  from  [x  0]: 

([x;=2|j(x;=l;x;=x  +  0])  (x;=l;x;=x  +  l,[x  2]) 

(x:=x  +  l,[x  HH.  1]) 

*•^+1  (null,[x  2]) 

([x:=2||(x:=l;x:=x  +  l)],[x  0])  ([x:=2||x:=x  +  l],[x  •-+  1]) 

(x:=x  +  1,  [x  !-»•  2]) 

(null,[x  ^  3]) 

([x:=2||(x:=l;x:=x  +  l)],[x  0])  ([x:=2||x:=x  +  1], [x  !-►  1]) 

(x:=2,[xh^2]) 

(nuil,[x  2]). 

3.  From  any  initial  state  s  the  command 

[(i:=l; await  y  =  1  then  (i:=y  —  l))|l(y:=l; await  x  =  1)] 
can  perform  the  sequence  i:=l,  y:=l,  x:=y  —  1  and  reach  the  stuck  configuration 

(await  X  =  1,  s  +  [x  0, y  1]). 

The  command  also  has  a  successfully  terminating  computation  in  which  the  atomic  steps  are 
y:=l,  x:=l,  skip,  x:=y  -  1,  leading  to  the  final  configuration 

(null,s  +  [x  0,  y  ►--+  1]). 

2.4  Partial  Correctness  and  Deadlock 

A  computation  is  a  maximal  sequence  of  transitions;  in  general  a  command  may  have  both  finite 
and  infinite  computations.  A  computation  ending  in  a  configuration  of  form  (null,s)  represents 
successful  termination.  We  say  that  a  configuration  {C,s)  is  deadlocked  iff  it  cannot  perform  any 
atomic  action  but  has  not  terminated  successfully  (i.e.,  C  is  not  null).  Informally,  this  happens  iff 
C  is  an  await  command  whose  test  is  false  in  state  s,  or  C  is  a  sequential  composition  Ci;  Cj  and 
(Ci,s)  is  deadlocked,  or  C  is  a  parallel  composition  all  of  whose  components  are  deadlocked.  The 
following  definition  makes  this  precise. 
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Definition  2.1  The  predicate  stuck  on  configurations  is  the  least  relation  satisfying: 

=  ff 

stuck(await  B  then  {C),s) 
stuck(Ci,s) 

stuck(Ci;C'2,s) 

stuck(Ci,s)  stuck(C2,5) 
stuck([Ci||C'2],s) 

A  configuration  (C,  s)  is  deadlocked  iff  stuck(C,s)  is  provable  from  these  rules.  • 

There  are  thus  three  kinds  of  computation:  infinite,  finite  successful  and  finite  deadlocked.  Since  we 
are  concerned  here  with  partial  correctness  and  deadlock  we  will  focus  on  the  finite  computations. 
To  this  end  we  now  introduce  a  partial  correctness  semantic  function  At  and  a  deadlock  semantic 
function  V: 

Definition  2.2  The  semantic  functions  M,V  :  Conn  — >  [5  -♦  7^(5)]  are: 

M[[C]\s  =  {s'|{C,s)~.*(null,y)} 

T>[[C]]s  =  {s'\3C'.  {C,s)  {C',s')  &  stuck((C',s',M}  . 


A  conventional  partial  correctness  assertion  (pea)  has  the  form  {P}C  (Q),  where  P  and  Q  are 
conditions,  typically  drawn  from  a  fixed  first  order  language.  We  introduce  a  generalization:  partial 
correctness  and  deadlock  assertions. 

Definition  2.3  A  partial  correctness  and  deadlock  assertion  (peda)  has  the  form 

{p}C{g}(i?], 

where  P,Q  and  R  are  conditions;  we  call  P  the  pre-condition,  Q  the  termination  post-condition, 
and  R  the  deadlock  post-condition.  • 

The  peda  {P}C  {Q}  [P]  is  valid  iff  every  successful  computation  of  C  from  a  state  satisfying 
P  ends  in  a  state  satisfying  Q,  and  every  deadlocking  computation  of  C  from  a  state  satisfying  P 
gets  stuck  in  a  state  satisfying  R.  This  generalizes  the  usual  notion  of  validity  for  pea’s  in  a  natural 
manner.  In  particular,  an  assertion  of  the  form  {P}  C  {Q}  [false]  states  that  every  terminating 
computation  of  C  from  an  initial  state  satisfying  P  ends  successfully  in  a  state  satisfying  Q:  this 
is  a  combination  of  a  pea  with  deadlock- freedom. 

Definition  2.4  The  peda  {P}C  {Q}[P]  is  ua/jd  iff 

1.  Vs,s'.(5  ^  P  &  s' €  Af[[C]]s  =>  a' )=  Q); 

2.  Vs,  s'.(s  \=  P  k  s' €  Z7[[C]}s  =:►  s'  1=  R). 
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many  immediately  enabled  transitions.  Thus,  each  command  and  initial  state  determines  a  finitely 
branching,  possibly  infinitely  deep,  computation  tree. 

The  branching  structure  of  the  transition  system  suggests  that  we  adopt  a  class  of  tree-like 
assertions,  in  which  the  properties  of  intermediate  stages  of  a  computation  as  well  as  initial  and 
final  states  can  be  specified.  Moreover,  in  order  to  allow  the  proper  treatment  of  deadlock  and 
termination,  we  should  maintain  a  distinction  between  stuck  and  successful  final  states.  This 
suggests  that  we  employ  assertions  rather  like  Milner’s  labelled  synchronization  trees  [MilSO],  with 
atomic  actions  labelling  the  arcs,  but  with  pre-  and  post-conditions  for  each  arc  and  with  two  forms 
of  leaf  node:  •  for  termination  and  o  for  deadlock.  Following  Milner,  we  will  also  allow  the  use  of 
/i-notation  for  describing  infinite  trees  with  recursive  structure,  so  that  we  can  handle  loops  in  a 
straightforward  manner. 

However,  there  is  another  important  semantic  consideration  that  will  influence  our  choice  of 
assertion  language.  Hoare’s  logic  for  sequential  while-programs  enjoys  the  property  that,  for  any 
valid  pea  {P}C{Q}  there  is  a  proof  that  employs  a  single  pea  for  each  syntactic  subcommand 
of  C.  This  “single-threadedness”  property  is  the  key  to  the  definition  of  “proof  outline”  and  to 
Cook’s  proof  of  relative  completeness  [Coo78].  It  is  easy  to  see  that  parallel  programs  do  not  enjoy 
an  analogous  single-threadedness  property.  For  example,  to  show  the  validity  of  the  assertion 

{x  =  0}  [z:=z  +  l||z:=z  -f-  2]  {z  =  3} 

one  needs  (the  information  conveyed  by)  the  following  four  pea’s,  two  for  each  subcommand: 

{z  =  0}  z:=z  -f-  1  {z  =  1} , 

{z  =  2}  z:=z  +  1  {a:  =  3}  , 

{z  =  0}  z:=z  -b  2  {z  =  2}  , 
and  {z  =  1}  x:—x  -|-  2  {z  =  3}  . 

The  single-threadedness  property  will  also  fail  for  tree-structured  assertions,  unless  we  allow  the 
use  of  conjunctions  of  assertions.  We  will,  therefore,  include  conjunction  as  a  logical  connective  on 
assertions.  It  is  perhaps  worth  remarking  that  Hoare’s  logic  as  usually  formulated  for  sequential 
programs  does  not  use  (or  need)  conjunctions,  precisely  because  of  the  single-threadedness  property. 

With  these  considerations  in  mind,  we  are  now  ready  to  present  an  assertion  language. 

Definition  3.1  The  class  of  transition  assertions  (over  a  given  first-order  condition  language)  is 
given  by  the  following  grammar: 

n 

::=  PY^a,Pi(pi  \  Po  |  F#  \  0  \  ^0.(j)  \ 

«=i 

where  P  and  the  P,  are  conditions,  ^  is  a  meta-variable  ranging  over  transition  assertions,  and  the 
Oj  are  atomic  actions.  • 

Assertions  of  the  form  P»  and  Po  will  be  called  terminal  assertions;  we  use  •  to  represent 
termination  and  o  to  represent  deadlock.  An  assertion  of  the  form  is  called  recursive-,  /i  is  a 
binding  operator.  We  will  mainly  be  concerned  with  closed  assertions,  i.e.  assertions  containing 
no  free  assertion  variables. 

Our  notation  for  assertions  is  similar  to  Milner’s  linear  notation  for  synchronization  trees,  but 
with  conditions  built  into  the  tree  structure  and  with  two  types  of  NIL  tree^.  For  presentation 


^Like  Milner,  we  regard  the  sum  notation  as  denoting  a  set  of  branches,  so  that  we  treat  as  equivalent  assertions 
such  as  P(aQ^  -b  aQv)  +  and  P{PRi>  + 
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purposes,  we  will  sometimes  prefer  to  draw  an  assertion  as  a  tree,  or  as  a  DAG  when  several 
branches  lead  to  identical  sub-assertions.  For  example,  the  generic  assertion  PJ2?=i  be 

represented  as: 


P 


3.1  Validity 

In  order  to  express  the  property  that  a  command  C  satisfies  a  (closed)  assertion  <j>  we  write 

C  sat  4>. 

When  <i>  is  the  assertion  interpret  C  sat  (f>  in  the  following  way.  If  the 

command  is  started  in  a  state  satisfying  P,  then  its  initial  action  must  be  an  drawn  from  the 
set  of  initial  labels  of  the  assertion,  and  these  labels  are  precisely  the  initial  actions  possible  for  the 
command.  If  the  command  starts  with  an  action  it  reaches  a  state  where  Pi  is  true  and  where 
the  remaining  command  satisfies  4>i.  Formally,  we  say  that 

n 

^  C  sat  P  ^  oiiPi(f>i 

«=i 

iff,  for  all  s,a,C*,s': 

(s  [=  P  &  (CfS)  {C',s')  =>  3i  <  n.  a  =  a,-  &  s'  ^  P,  &  C'  ^  d>i),  (1) 

and,  for  all  s,  i, 

{s^P  3C„s,.  (C,s)  ^  (C.,s.)),  (2) 

so  that  all  of  the  actions  specified  in  4>  are  indeed  possible  for  C  when  the  initial  state  satisfies  P. 
We  interpret  the  two  terminal  cases  as  follows: 

)=  C  sat  P*  C  =  null, 

since  null  represents  unequivocal  termination:  Tnd 

[=  C  sat  Po  Vs.(s  1=  P  =>  stuck(C,  s)), 

since  deadlock  depends  on  the  current  state. 

We  interpret  a  recursive  assertion  ^i0.4>  as  follows.  Let 

9q  =  {false}  •, 
and  9n+i  =  [0n  \  ^]<i>  for  n  >  0. 

Each  9n  is  obtained  by  unfolding  the  recursive  assertion  a  finite  number  of  times.  The  logical 
properties  of  ^9.4>  are  uniquely  determined  from  those  of  its  unfoldings:  we  specify  that 

^  C  sat  fjL9.4>  <=>  Vn  >  0.(^  C  sat  9^). 

Finally,  ^  C  sat  (0i  &  <i>2)  iff  }=  G  sat  <p\  and  C  sat  <^2- 
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3.2  Some  Examples 

1.  The  command  [x:=x  -I-  l||x:=x  +  1]  satisfies  the  assertion 

{x  =  0}  x;=x  +  1  {x  =  1}  {x  =  1}  x;=x  +  1  {x  =  2}  {x  =  2}  • 

It  also  satisfies 

{x  =  0}  x:=x  +  1  {x  =  1}  {x  =  99}  x:=x  -|-  1  {x  =  100}  {true}  •  . 

2.  The  command  [x:=2||(x:=l;  x:=x  +  1)]  satisfies  the  assertion 

true 


x:=x+l  x:=x  +  l  x:=2 

x=2  x=3  x=2 

x=2  x=3  x=2 

•  •  • 

3.  The  loop  while  x  >  0  do  x:=x  —  1  satisfies  the  recursive  as';ertion 

nO.  {x  >  0}  X  >  0  {x  >  0}  {x  >  0}  x:=x  —  1  {x  >  0}  ^ 

and  also  the  assertion  {i  <  0}  i  >  0  {x  <  0}  {true}  •  .  It  also  satisfies  the  assertion 

nd.{  {x  >  0}  X  >  0  {x  >  0}  {x  >  0}  x:=x  -  1  {x  >  0}  ^ 

X  {x  <  0}  X  >  0  {x  <  0}  {true}  •). 

3.3  Parallel  composition  of  assertions 

We  now  define  a  syntactic  parallel  composition  for  assertions.  The  definition  is  given  inductively. 
When  one  of  the  assertions  is  terminal,  we  specify  that 

[P*\\QY:7=x(ijQ:^A  =  {PkQ}7:7=x0:QAP*m^ 

and  similarly  when  the  two  terms  are  exchanged.  When  both  assertions  are  terminal  we  put 

P.\\Q.  =  {PkQ}. 

p  o  HQ.  =  P  •  ilQo  =  p  o  llQo  =  {PkQ}  O  . 
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These  definitions  express  the  fact  that,  according  to  the  operational  semantics,  a  parallel  program 
terminates  when  all  of  its  components  have  terminated  and  deadlocks  when  all  of  its  components 
deadlock.  Note  for  instance  that,  for  all  V’, 

[{true}  •  IIV’]  =  [t/'ll  {true}  •]  =  rjj. 

(Strictly  speaking,  these  are  logical  equivalences  rather  than  syntactic  identities.)  This  corresponds 
to  the  fact  that  once  a  parallel  component  of  a  program  terminates  successfully  the  rest  of  the 
program  can  continue  executing. 

The  inductive  clause  is  an  extension  of  the  interleaving  operation  on  synchronization  trees 
[6,24,28],  modified  to  handle  the  conditions  and  conjuncts  in  an  appropriate  manner.  For  assertions 
<i>  and  ^  of  the  form 

n  m 

i=i  j=i 

we  define 

i=i  i=i 

Note  that  as  far  as  the  action  sequences  are  concerned  the  operation  corresponds  exactly  to 
interleaving  of  trees. 

We  extend  this  definition  to  deal  with  conjunction  as  follows.  When  <f>  and  ^  are  conjunctions, 
[<f>\\i>]  is  defined  to  be  a  conjunction.  For  each  conjunct  PTa=i  ciiPi4>i  of  <i>  and  each  conjunct 
Q  PjQji^j  of  V’  we  include  in  [4>\\i}\  a  conjunct  of  the  form: 

n  m 

{P&g}(^a.P.[</>.||^]  + 

.=1  i=l 

When  (j)  and  ^  are  simple  assertions  this  is  exactly  the  same  definition  as  before. 

The  following  result  shows  that  parallel  composition  of  assertions  does  indeed  have  the  correct 
effect:  if  Ci  satisfies  <i>  and  C2  satisfies  rp  then  [C1IIC2]  satisfies 

Theorem  3.2  If  \=  C\  sat  <p  [=  C2  sat  tp  then  \=  [CiUC^j  sat  [<^|1V’]- 

3.4  Sequential  composition  of  assertions 

We  also  define  a  sequential  composition  0;  ip  for  assertions,  whose  effect  is  to  graft  a  copy  of  ip  onto 
the  terminated  nodes  of  cp.  The  definition  is  again  inductive. 

In  the  base  cases,  we  put 


m  m 

P»-, 

j=i  j=i 


and 

When  <p  is  P{Yl7=i  o»Pt<f>t)  we  put 


Po;  Ip  =  P  o  . 


(p\ib  =  P'^a^P^{<pi\ip). 
1=1 
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To  handle  conjunctions  we  let  {<j>i^4>2)i‘>P  =  (<^i;  0)&(<A2;  V’)  and  similarly  when  we  have  a 
conjunction  in  the  second  place;  in  other  words,  sequential  composition  distributes  over  conjunc¬ 
tion. 

Again  it  is  easy  to  show  that  this  syntactic  operation  on  assertions  correctly  models  sequential 
composition  of  programs. 

Theorem  3.3  //[=  Ci  sat  4>  and  [=  C2  sat  ip  then  ^  (Ci;C2)  sat 
3.5  Implication 

We  define  a  notion  of  implication  <f>  ip  between  assertions,  with  the  intention  that  whenever  </> 
implies  Ip  then  any  command  satisfying  <p  will  also  satisfy  ip.  The  definition  relies  on  the  usual 
form  of  implication  P  ^  Q  between  conditions.  The  main  idea  is  that  <p  implies  ip  when  ip  arises 
from  <p  by  strengthening  pre-conditions  and/or  weakening  post-conditions.  This  is  closely  related 
to  the  familiar  Rule  of  Consequence  in  Hoare’s  logic  for  while-programs,  which  is  usually  written 
in  the  form: 

P'^P  {P}C{Q}  Q^Q' 

incm 

This  rule  can  equally  well  be  viewed  as  a  rule  of  modus  ponens  for  pea’s,  if  we  define  a  form  of 
implication  on  pea’s  by: 

{P}C{Q}  =►  {P'}C{Q'}  ^  (P' ^  P)  Sc  (Q  :=>  Q'). 

The  following  definitions  adapt  this  idea  to  our  assertion  language. 

For  <p  =  PJ2^-i  QiPx<Pi  and  ip  =  Q  aiQiipi,  we  define: 

n  n 

{<p  Ip)  <=►  {Q  =>  P)  Sc /\{Pi  =>  Qi)  k  /\{(pi  ipi). 

1=1  1=1 

For  the  base  cases,  we  define 

=>  Q  =>  P, 

Po  ^  Qo  <=>  Q  =>  P. 

We  extend  implication  to  conjunctions  in  the  obvious  way: 

{(pi  k  4>2)  =>  <Pi 
{<px  k  <p2)  =>  d>2 


For  a  recursive  assertion  we  define: 


pe.<p  -:=>  [{p9.<p)  \  e]<p, 

where  [ip\0](p  denotes  the  result  of  substituting  ip  for  each  free  occurrence  of  B  in  </>,  with  renaming 
of  bound  variables  if  necessary  to  avoid  capturing  any  of  the  free  assertion  variables  of  ip. 

We  also  employ  the  following  inference  rule,  based  on  the  usual  kind  of  //-induction  rule  (see 
for  instance  [Sco76,  Par70]): 

Ip  B  h  Ip  ^  <p 
Ip  =>  pB.(p 

where  ip  is  closed  and  B  may  occur  free  in  (p. 
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The  following  forward  propagation  rule  is  useful  for  strengthening  an  assertion,  by  using  partial 
correctness  properties  of  its  atomic  actions: 

i=l  .=1 

This  rule  may  be  applied  either  locally,  at  a  particular  sub-assertion  of  a  general  assertion  <^,  or 
systematically,  beginning  by  conjoining  a  condition  Q  to  the  root  node  of  4>  and  repeating  the 
operation  with  condition  Pik,Qi  on  the  0^,  and  so  on  recursively. 

The  following  result  shows  that  this  form  of  implication  behaves  logically  as  expected: 

Theorem  3.4  For  all  C,  4>  and  V>,  if  \=  C  sat  <(>  and  <f>  ijj,  then  |=  C  sat  V’- 


3.6  Safe  assertions 

In  the  syntactic  definition  of  the  class  of  transition  assertions,  we  did  not  require  that  any  logical 
connection  exist  between  adjacent  “intermediate”  conditions  inside  an  assertion.  Assertions  in 
which  every  internal  post-condition  logically  implies  the  immediately  adjacent  condition  can  be 
regarded  as  describing  the  behavior  of  a  command  executed  in  isolation,  since  intuitively  the 
command  can  progress  along  the  paths  described  by  the  assertion  without  requiring  interference 
or  outside  intervention.  We  will  call  such  assertions  safe.  There  are  good  semantic  reasons  for  not 
making  this  constraint  part  of  the  syntactic  definition  of  our  assertion  language,  since  in  general 
information  solely  about  the  safe  assertions  satisfied  by  a  program  may  be  insufficient  to  characterize 
the  behavior  of  that  program  in  all  parallel  contexts.  Nevertheless,  since  safe  assertions  are  closely 
related  to  pcda’s  we  find  it  convenient  to  subject  them  to  some  special  treatment. 


Definition  3.5  For  each  assertion  <f>  the  “root  pre-condition”  root((/>)  is  defined  by: 


TOOt{P'£tzl(^iPi<l>i)  =  P 

root(Po)  =  root(P#)  =  P 
root(<^i&d»2)  =  root(0i)  V  root((^2) 
xoot{p.d  .(j))  =  root(<^) 
root(^)  =  false 


The  “termination  post-condition”  term(<^)  and  “deadlock  post-condition” 


dead(<^)  are  defined  by: 


iexTa{PYJi=iOtiPi<t>i)  =  V"=i  term(<A,) 
term(Po)  =  false 
term(P*)  =  P 

term(<^i&d*2)  =  term(</)i)  V  term(<f»2) 
term(d)  =  false 
term(/i^.<f>)  =  term(<^) 


dead(P^;Li  =  Vr=i  dead(<?i>,) 

dead(Po)  =  P 
dead(P*)  =  false 

dead((^i&02)  =  dead(</>i)  V  dead(<^) 
dead(^)  =  false 
dead(^^.(^)  =  dead(<f>) 


• 

Informally,  root(<^)  is  the  pre-condition  at  the  start  of  (f>,  term(<^)  is  the  disjunction  of  the  conditions 
at  terminated  nodes  of  <^,  and  dead((^)  is  the  disjunction  of  the  conditions  at  deadlocked  nodes  of 

<i>. 
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A  terminal  assertion  is  safe,  and  ^52?=!  <^iPi4>i  is  safe  iff  for  each  i,  Pi  =>  root(<^,)  and  <t>i  is 
sade.  A  recursive  assertion  is  safe  if  the  condition  immediately  preceding  each  occurrence  of  9 
implies  root(<^)  and  4>  is  safe  at  all  other  nodes. 

A  precise  definition  of  what  it  means  for  an  assertion  to  be  safe  follows: 

Definition  3.6  The  predicate  safe  on  assertions  is  the  least  predicate  satisfying: 

h  safe(Po) 

I-  safe(P«) 


n  n 

/\  {Pi  =►  root(^,))  f\  safe(<^,) 

i=i  t=i 


safe(  P  ^  aiPi4>i) 

t=i 

safe(<^i)  safe(^2) 
safe(<^i&<^) 

safe([root(<^)  •  \^]<^) 
safe(/i^.<^) 


Safe  assertions  are  fundamental  in  reasoning  about  conditional  critical  regions,  because  when 
await  B  then  (C)  is  executed  from  a  state  in  which  B  is  true,  the  effect  is  to  execute  C  without 
allowing  interruption.  Thus,  whenever  C  sat  (f)  and  safe(<^),  the  command  await  B  then  {C) 
will  satisfy  the  assertion 

{root(0)  &  B}  {C)  {term(<^)}  {true}  •  . 

Safe  assertions  are  of  particular  importance  since  they  can  be  used  directly  to  derive  partial 
correctness  and  deadlock  assertions,  as  shown  by  the  following  result.  The  proof  is  straightforward. 

Theorem  3.7  If\=C  sat  and  sa/e(<^),  then  [=  {roo<(<^)}  C  {<erm(<^)}  [<iea<i((^)]. 

Note  that  parallel  composition  is  not  guaranteed  to  produce  safe  assertions,  even  if  the  com¬ 
ponent  assertions  are  safe.  The  same  holds  for  sequential  composition.  Nevertheless,  the  following 
simple  result  is  useful: 

Theorem  3.8  If  <f>  and  ^  ore  safe  and  {term{4>)  =>  root{rl;))  then  is  safe. 

It  is  obvious  that  an  assertion  in  which  every  internal  post-condition  is  identical  to  the  adjacent 
pre-condition  will  be  safe.  There  is  clearly  some  redundancy  in  using  the  full  syntax  given  earlier  for 
assertions  like  this.  It  is  therefore  convenient  to  adopt  an  abbreviated  notation  for  this  sub-class  of 
the  safe  assertions,  in  which  we  only  mention  each  internal  condition  once.  We  therefore  introduce 
the  following  syntax. 
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Definition  3.9  The  class  of  abbreviated  safe  assertions,  ranged  over  by  meta- variable  a,  is  defined 
by  the  following  grammar: 

n 

<r  ::=  P^ai<Ti  j  Po  |  |  d  |  |  (Ti&(T2, 

1=1 

in  which  P  and  the  Pi  are  conditions.  • 

3.7  Program  skeletons 

Every  program  has  a  characteristic  safe  assertion  that  describes  the  possible  control  paths  through 
the  program,  using  conjunction  to  deal  with  cases  where  the  flow  of  control  may  be  affected  by 
interference.  We  call  this  kind  of  assertion  a  program  skeleton. 

Definition  3.10  The  skeleton  skel(C)  of  a  program  C  is  defined,  by  induction  on  the  syntactic 
structure  of  C,  by: 

skel(skip)  =  {true}skip{true}{true}* 
skel(/:=P)  =  {true}/:=P{true}{true}« 
skel(Ci;C2)=  skel(Ci);skel(C2) 
skel([Ci||C2l)  =  skel(Ci)||skel(C2) 
skel(if  B  then  C\  else  C2)  =  {i3}P{true}skel(Ci) 

& 

=  {-•P}P{true}skel(C2) 
skel(await  B  then  {€))  =  {P}{C){true}{true}* 

& 

=  {--Pjo 

skel( while  B  do  C)  =  /i^.[{P}P{true}(skel(C); 

& 

{-'P}P  {true}  {true}*] 

• 

The  following  result,  easily  proved  by  induction  on  C,  is  indicative  of  the  utility  of  program 
skeletons. 

Theorem  3.11  For  every  command  C,  the  assertion  skeJ{C)  is  safe  and  is  satisfied  by  C. 

3.8  Examples,  revisited 

We  return  briefly  to  some  assertions  discussed  earlier. 

1.  The  assertion 

{x  =  0}x:=x  +  l{x  =  l}{x  =  l}i:=i  +  l{i  =  2}{x  =  2}* 

is  safe,  has  root  condition  x  =  0,  termination  condition  x  =  2,  and  deadlock  condition  fiilse. 
There  is  also  an  obvious  abbreviated  form  for  this  assertion.  In  contrast,  the  assertion 

{x  =  0}x:=x  +  l{x  =  l}{x  =  99}x:=x  +  l{x  =  100}{true}* 

is  not  safe,  but  is  nevertheless  satisfied  by  x:=x  +  l;x:=x  +  1. 
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2.  The  assertion 


true 


X  =  1  X  =  2  X  =  2 

X  =  I  X  =  2  true 


x:=x  +  1 


x:=x  +  1 


x:=2 


X  =  3 
X  =  3 


X 

X 


2 

2 


is  safe,  has  root  true,  termination  condition  x  =  2  V  x  =  3,  and  deadlock  condition  false.  At 
the  internal  nodes  where  adjacent  conditions  do  not  coincide  the  reason  is  that  the  next  step 
behavior  of  the  program  once  it  has  reached  the  corresponding  point  in  its  execution  does 
not  depend  on  there  being  no  interference  before  the  program  resumes;  hence  the  use  of  true 
as  the  “resumption  pre-condition”. 

An  abbreviated  form  of  safe  assertion  satisfied  by  this  command  is: 


true 


x:=i  +  1 


x;=x  -b  1 


x:=2 


x  =  2  x  =  3  X=:2 

•  •  • 
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3.  The  skeleton  of  the  command  [x:=2||(i:=l;x;=x  +  1)]  is  the  assertion: 


true 


true  true  true 

true  true  true 


x:=x  +  1 


x:=x  +  1 


x:=2 


true  true  true 

true  true  true 

•  •  • 


The  safe  assertions  given  above  for  this  command  may  be  easily  derived  by  forward  propa¬ 
gation. 

4.  The  assertion 

>  0}x  >  0{x  >  0}{x  >  0}x:=x  -  l{x  >  Q)0) 
is  not  safe,  because  x  >  0  does  not  imply  x  >  0.  However,  the  assertion 

nd.{  {x  >  0}  X  >  0  {x  >  0}  {x  >  0}  x:=x  -  1  {x  >  0}  ^ 

&  {x  <  0}  X  >  0  {x  <  0}  {true}  •) 

is  safe.  Its  root  is  i  >  0  V  i  <  0,  its  termination  condition  is  true,  and  its  deadlock  condition 
is  ff . 

3.9  A  Proof  System  for  Transition  Assertions 

Using  the  definitions  and  results  accumulated  so  far,  we  are  led  to  the  collection  of  axioms  and 
inference  rules  summarized  in  Figure  3.  Validity  of  each  axiom  is  clear,  the  soundness  of  most 
of  the  inference  rules  has  already  been  discussed,  and  the  remaining  cases  (for  instance,  dealing 
with  if-then-else)  are  obviously  sound.  These  rules  and  axioms  are  based  closely  on  the  operational 
semantics  presented  in  Figure  1. 
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I-  skip  sat  {P}  skip  {P}  {true}  • 
h  I.=E  sat  {[P  \  I]P}  I:=E  {P}  {true}  • 
h  await  B  then  (C)  sat  {-iP}o 
C  sat  (f)  safe(</>) 

await  B  then  (C)  sat  {root(<^)&P}  {C)  {term(<^)}  {true}  • 

Cl  sat 

if  B  then  Ci  ebe  C2  sat  {P&P}  B  {P} 

C2  sat  4^2 

if  B  then  Ci  else  C2  sat  {P&->P}  B  {P} 

C  sat  4> 

while  B  do  C  sat  n9.[{PkB)  B  {P}  9)  k  {Pk-^B)  B  {P}  (true)  •] 


Cl  sat  4> 

C2  sat  V’ 

[C1IIC2]  sat  [4>\\4;] 

Cl  sat  4> 

C2  sat  ^ 

Ci'.Cj 

sat  4>\  xjj 

C  sat  4> 

C  sat  0 

C  sat  {(pScTp) 

C  sat  4> 

<i>=>  Ip 

C  sat  V’ 

C  sat  <f>  safe((/>) 


{root(0)}C7  {term(<^)}  [dead(<^)] 

Figure  3:  Axioms  and  Proof  Rules  for  Transition  Assertions 


18 


4  Examples 

We  begin  with  a  few  very  simple  example  programs  to  illustrate  the  ideas. 

1.  We  wish  to  prove  that  [a::=i  +  l||i:=x  +  1]  satisfies  the  assertion 

{i  =  0}  i:=i  +  1  {x  =  1}  {i  =  1}  x:=x  +  1  {x  =  2}  {i  =  2}  •  . 

It  is  easy  to  prove  the  following  assertion  for  x;=x  +  1: 

{x  =  0}  x;=x  +  1  {x  =  1}  {x  =  1}  • 

&  {x  =  1}  x:=x  +  1  {x  =  2}  {x  =  2}  • 

The  parallel  composition  of  this  assertion  (say,  <p)  with  itself  has  four  conjuncts,  one  of  which 
is  logically  equivalent  to: 

{x  =  0}  x:=x  +  1  {x  =  1}  (^. 

But  <^  =>  {x  =  l}x:=x  +  1  {x  =  2}  {x  =  2}*.  Hence,  [<j>\\(t>\  implies  the  desired  assertion. 

2.  We  can  prove  that  the  command  x:=x  +  l;x:=x  +  1  satisfies  the  assertion 

{x  =  0}  x:=x  +  1  {x  =  1}  {x  =  99}  x:=x  +  1  {x  =  100}  {true}  •, 
by  forming  the  sequential  composition  of  the  assertions 

{x  =  0}  x:=x  +  1  {x  =  1}  {true}  •,  {x  =  99}  x:=x  +  1  {x  =  100}  {true}  •  . 


3.  It  is  easy  to  prove  that  x:=2  satisfies  the  assertion 

{true}x:=2{x  =  2}{true}  •  . 

Similarly,  x:=l  satisfies 

{true}x:=l{x  =  l}{true}« 

and,  using  the  rule  for  &-introduction,  x:=x  +  1  satisfies 

{x  =  l}x:=x  +  l{x  =  2}{true}  •  &  {x  =  2}x:=x  -f  l{x  =  3}{true}# 

By  the  rule  for  sequential  composition  it  follows  that  x:=l;  x:=x  +  1  satisfies  the  assertion: 

true 

x  :=  1 
X  =  1 

X  =  1  &  X  =  2 


X  :=  X  +  1 


X  :=  X  +  1 


X  =  2 

true 


X  =  3 

true 
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The  parallel  composition  of  these  assertions  implies  the  following  assertion,  which  can  there¬ 
fore  be  derived  for  the  program  [i;=2||(i:=l;  i:=i  -|-  1)]: 


true 


x:=x  +  1 


x:=x  4-  1 


x:=2 


X  =  2  1  =  3  x  =  2 

true  true  true 

•  •  • 


This  assertion  obviously  implies  the  assertion  given  earlier  for  the  same  program. 

Now  we  progress  to  some  more  complicated  examples  whose  correctness  proofs  require  larger  and 
more  intricate  assertions.  These  examples  are  based  on  classic  problems  in  parallel  programming: 
coordination  of  producer  and  consumer  processes,  guaranteeing  mutual  exclusion,  and  partition  of 
a  set.  For  the  origins  of  these  problems  and  classic  programming  solutions  see  for  instance  [Dij68] 
and  the  more  recent  discussions  in  [Bar85,  BA82,  A091]. 

4.1  Producer  and  Consumer 

Suppose  a  producer  process  and  a  consumer  process  interact  by  means  of  a  buffer,  modelled  as  a 
queue  on  which  insertion  and  deletion  operations  may  be  performed.  We  discuss  a  parallel  program 
using  semaphores,  based  on  Dijkstra’s  solution  to  the  producer-consumer  problem  in  [Dij68].  A 
semaphore,  as  introduced  by  Dijkstra,  is  an  integer-valued  variable,  say  s,  on  which  the  only  allowed 
operations  after  initialization  are: 

P{s)  =  await  s  >  0  then  s:=s  -  1, 

V"(s)  =  s:=s-|-i. 

A  binary  semaphore  is  a  semaphore  whose  value  is  constrained  to  be  either  0  or  1. 

Our  program  uses  three  semaphores  e,  f,  and  6,  of  which  6  is  binary.  Intuitively,  e  >  0  means 
that  the  buffer  is  not  empty,  /  >  0  means  that  the  buffer  is  not  full,  and  the  value  of  b  is  either  0 
(buffer  being  accessed)  or  1  (buffer  not  being  accessed).  Suppose  the  protocols  by  means  of  which 
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the  processes  gain  access  to  the  buffer  are: 

CON  ::  await  e  >  0  then  e  :=  e  —  1; 

await  b  >  0  then  b  :=  b  -  1; 
rem(x); 

/:=/+!; 

b:=b+l 

PRO  await  /  >  0  then  /  ;=  /  -  1; 

await  6  >  0  then  6  :=  6  —  1; 
ins(y); 
e  :=  €+  1; 
b:=b  +  l 

This  program  design  is  based  on  the  idea  that  a  consumer  should  wait  until  the  buffer  is  not  empty 
before  trying  to  gain  exclusive  access  to  the  buffer  for  removing  an  item,  and  a  producer  should 
likewise  wait  until  the  buffer  is  not  full  before  requesting  access.  The  details  of  how  the  buffer  and 
its  insertion  and  deletion  operations  are  implemented  do  not  matter  for  this  analysis. 

If  we  execute  CON || PRO  from  an  initial  state  in  which  the  buffer  is  available  (b  =  1),  fuU 
(/  =  0)  and  not  empty  (e  >  0),  the  producer  must  wait  until  the  consumer  has  finished  removing 
an  item  before  gaining  access  for  an  insertion.  This  property  is  expressed  by  the  safe  assertion 
in  Figure  4,  which  is  presented  in  the  abbreviated  notation  and  uses  comma  for  conjunction  of 
conditions. 

This  assertion  may  itself  be  proven  by  forming  the  parallel  composition  of  assertions  <bcoN 
(Figure  5)  and  <i>PRO  (Figure  6),  which  are  easy  to  prove  for  CON  and  PRO  respectively.  Again 
the  figures  use  the  abbreviated  notation. 

The  pcda 

{e>0&/  =  0&  6=  l}CON||PRO{e  >0&/  =  0&  6=  l}[false] 

is  derivable,  showing  absence  of  deadlock. 

However,  if  the  producer  uses  a  poorly  designed  protocol  such  as: 

PRO'  ::  await  6  >  0  then  6  :=  6  -  1; 

await  /  >  0  then  /:=/-!; 
ins{y)\ 
e  :=  e  +  1; 

6  :=  6  +  1 

there  is  a  possible  deadlock,  caused  when  the  producer  grabs  access  to  the  buffer  even  though  the 
buffer  is  still  full,  thereby  preventing  the  consumer  from  gaining  access.  This  is  shown  by  the  safe 
assertion  in  Figure  7.  We  leave  it  as  an  exercise  to  find  assertions  for  PRO  and  CON'  whose  parallel 
composition  implies  this  assertion.  Clearly  the  pcda 

{c>0&/  =  0&  6=  l}CON||PRO'{e  >0&/  =  0&  6=  l}[e  >0  &  /  =  0&  6  =  0] 
is  derivable. 
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e>0,/  =  0,6=l 


Figure  4;  An  assertion  satisfied  by  CON|jPRO 
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IV  IV 


e  >  0,/  =  0,6=  1 

e~e—l 

e>0,/  =  0,6=  1 
6:=6-l| 


e>0,f  =  0,6  =  0 
rem(x)j 

e>0,/  =  0,6=0 

/:=/+l| 


e  >  0,/  =  1,6  =  0 

e>0,/=l,6  =  0  &  e>0,/  =  0,6  =  0 


6:=6+l| 

e  >  0,/  =  1,6=  1 


|6:=6+1 

e  >  0,/  =  0,6  =  1 


Figure  5:  An  assertion  4>con  satisfied  by  CON 


e>0,/=l,6=l  & 

/:=/-! 

0,/  =  0,6=  1 
0,/  =  0,6=  1 

6:=6-l 

e>0,/  =  0,6  =  0 

ins{y) 

e>0,/  =  0,6  =  0 

e:=e+l 

e>0,/  =  0,6  =  0 


€>0,/=  1,6  =  0  k 

/:=/-! 

e>0,/=  1,6  =  0 

e  >  0,/  =  0,6  =  1 

6;=6-l 

e>0,/  =  0,6  =  0 
ins{y) 

e  >  0,/  =  0,6  =  0 
e:=e+l 

e>0,/  =  0,6  =  0 


/  =  0 


6:=6+l 


6:=6+l 


e  >  0,  /  =  0,6  =  1 


e  >  0,/  =  0,6  =  1 


Figure  6;  An  assertion  4>pro  satisfied  by  PRO 
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4.2  Peterson’s  algorithm  for  mutual  exclusion 

This  example  is  based  on  Peterson’s  mutual  exclusion  algorithm  [PetSl],  in  which  two  processes 
repeatedly  execute  a  loop  containing  a  critical  section  and  we  must  guarantee  that  they  are  never 
simultaneously  inside  their  critical  sections.  A  correctness  proof  for  a  version  of  this  algorithm, 
given  in  the  Owicki-Gries  style,  occurs  in  [A091]. 

In  Peterson’s  algorithm,  each  process  sets  a  boolean  “readiness”  variable  (here  r^,  respectively, 
r2)  when  it  intends  to  enter  its  critical  section  then  temporarily  gives  the  other  process  a  chance 
to  enter  (by  setting  the  shared  variable  t),  and  waits  until  either  it  has  the  right  to  enter  or  the 
other  process  is  not  ready.  Upon  leaving  the  critical  section  a  process  signals  that  it  is  no  longer 
ready,  and  begins  the  cycle  again.  The  value  of  t  indicates  which  process  gets  to  enter  its  critical 
section  in  case  both  are  ready  simultaneously. 

We  consider  processes  whose  critical  sections  are  x:=x  +  +  1  and  y:=x  respectively, 

so  we  are  treating  the  variable  i  as  a  critical  resource.  We  focus  on  one  parallel  iteration  of 
the  two  processes,  after  they  have  both  set  their  readiness  flag  and  i  is  initially  1.  It  would  be 
straightforward  to  extend  our  analysis  to  the  full  algorithm,  which  corresponds  to  the  parallel 
composition  of  two  while-loops. 

Consider,  then,  the  execution  of  the  program  fragment  LEFT||RIGHT,  where 

LEFT  ::  t  :=  2; 

await  -ir2  V  (t  =  j; 

X  :=  "  T  i, 

X  :=  X  -t- 1; 

1  :=  false 

RIGHT;;  t;=l; 

await  -Ti  V  (t  =  2); 
y  ■■=  x; 
r2  :=  false 

and  where  we  assume  that  initially  ri  and  r2  have  been  set  to  true  and  t  =  1. 

The  assertion  for  LEFT|| RIGHT  given  in  Figure  8  can  be  proven.  In  the  diagram  we  use  the 
abbreviations  Cx  and  Cy  for  even{x)  and  even{y)  respectively.  From  this  (safe)  assertion  the  pcda 

{ri  &  r2  &  t  =  1  &  et;en(x)}  [LEFTfjRIGHT]  {-Ti  &  -^2  &  even(i/)}  [false] 

is  easily  derivable.  Note  that  if  mutual  exclusion  were  violated  it  would  be  possible  for  the  program 
to  terminate  with  y  odd.  We  have  also  proven  absence  of  deadlock. 
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r^,  r2j  t  —  1)  ^2: 


=  2,ex  T\,r2,t  =  l,ex 


Tx,T2,t  =  Utx:  ri,r2,t  =  2,e, 


—  1  j  £2 


i:=x4-l/ 
ri,r2,t  =  l,-^ex 


x:=x+L 


ri:= falsey^ 
7*^,7*2^i  —  l^C^; 


rrv(<  =  2f 


^1)  J’2)  i  =  1,  Ci 


^1 )  ^2i  ^ 

r2:=false\ 


frv(<  =  2) 


»  ^2»  ^  —  2,  61 


*  2jCy 

'\^;= /o/se 

ri,r2,f  =  2,ey 
/%V(f  =  l) 
ri,f^,<  =  2,ej, 

^^/x:=x+l 

=  2,e„ 

l,e,  _  /4:«+l 

V  ^li^2>^  —  2,  Cy 

^  y^Ti-.= false 

T'j  ^  7*2  ^  ^  ”  ^?^y  7  '^'2 1 1  —  2^  £y 


Figure  8:  An  assertion  satisfied  by  LEFT||RIGHT 
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4.3  The  Set  Partition  Problem 


The  Set  Partition  Problem,  essentially  a  parallelized  version  of  one  of  the  fundamental  operations 
in  the  quicksort  algorithm,  was  used  by  Barringer  [Bar85]  as  a  standard  example  illustrating  the 
utility  of  various  proof  systems  for  parallel  programs.  Barringer’s  program  is  based  on  a  solution 
of  Dijkstra.  Here  we  show  briefly  how  this  problem  can  be  treated  in  our  proof  system. 

Suppose  we  have  two  disjoint  finite  sets  of  integers  represented  by  the  variables  5  and  T,  whose 
union  is  initially  the  set  A.  Assume  that  we  are  provided  with  an  atomic  insert /delete  operation 
S:—x+y  whose  effect  (provided  x  is  in  the  set  represented  by  5)  is  to  remove  x  and  insert  y. 

We  want  to  transform  5  and  T  so  that  the  union  of  the  two  sets  is  preserved,  disjointness  is 
maintained,  the  size  of  each  set  is  preserved,  and  every  member  of  S  is  smaller  than  every  member 
of  T.  We  want  to  do  this  by  running  two  loops  in  parallel,  one  operating  on  each  set,  sharing 
variables  which  are  used  for  ensuring  correct  cooperation.  We  want  the  parallel  program  to  be 
partially  correct  with  respect  to  the  precondition  PRE  and  post-condition  POST  given  by: 

PRE:  5uT  =  A&5nT={}&|5|  =  s&|r|  =  < 

POST  :  5uT  =  A&  5nT  =  {}&|5|  =  s&|r|  =  t&:  max{S)  <  min(T) 

We  also  want  the  program  to  be  free  of  deadlock^. 

The  following  program  solves  this  problem: 

vnx  :=  Tnax{S);  mn  :=  min(T); 
rmx  :=  true;  rmn  :=  true; 
doneS  false;  doneT  :=  false; 

SMALL||LARGE 


where 


SMALL  ::  await  rmn; 

while  mx  >  mn  do 
rmn  :=  false; 
S:-mx+mn] 
doneS  :=  true; 
await  doneT; 
doneT  :=  false; 
mx  :=  max{S); 
rmx  :=  true; 
await  rmn 


LARGE  ::  await  rmx; 

while  mx  >  mn  do 
rmx  :=  false; 
T:-mn+mx; 
doneT  :=  true; 
await  doneS; 
doneS  :=  false; 
mn  :=  min{T); 
rmn  :=  true; 
await  rmx 


Figure  9  shows  an  assertion  d>s  satisfied  by  the  SMALL  command;  the  corresponding  assertion  <I>t 
for  the  LARGE  command  is  obtained  in  the  obvious  way.  It  is  easy  to  derive  <^s  from  the  skeleton 
assertion  skel(SMALL),  using  the  rules  for  implication'*. 


^Barringer’s  parallel  shared  variable  program  for  this  problem  assumes  that  insertion  and  deletion  are  separate 
atomic  actions;  it  would  be  easy  to  adapt  our  solution  to  use  these  primitives  instead,  at  the  expense  of  slightly  com¬ 
plicating  the  structure  of  the  assertions  used  in  our  proofs.  Another  difference  between  our  solution  and  Barringer’s 
is  that  the  shared  variable  program  in  [Bar85]  is  not  deadlock- free. 

*The  rule  for  ^-induction  is  used  crucially  in  this  proof,  in  addition  to  the  forward  propagation  rule. 
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n6.[  rmn  &  mx  <  mn  &  rmn  &  mx  >  mn  & 


rmn| 

jrmn 

mx  < 

mn 

true 

mx  < 

mn 

mx  >  mn 

mx>mn  | 

jmi>mn 

mx  < 

mn 

true 

« 

true 

|rmn!=/a/5c 

true 

true 

true 

true 

\doneS',~triie 

true 

^  doneT 

I  doneT 

true 

true 

|mx:=max(5) 

true 

true 

|r7nx:=lrue 

true 

9 


-'doneT 

o 


Figure  9:  An  assertion  for  SMALL 


-<rmn 

o 


] 


28 


Figure  10  shows  an  assertion  satisfied  by  SMALL||LARGE,  using  the  following  abbreviations: 


L 

= 

mi  <  mn 

D 

= 

-idoneS  &  ->doneT 

Ds 

= 

doneS  &  ->doneT 

Dt 

= 

-idoneS  &  doneT 

Dst 

= 

doneS  &  doneT 

R 

= 

-<rmx  &  -irmn 

Rs 

= 

rmx  &  -'vmn 

Rt 

= 

-irmx  &  rmn 

Rst 

= 

rmx  &  rmn 

M 

= 

mi  €  5  n  T  &  mn  6  5  n 

Ms 

= 

mi  €  5  n  T  &  mn  e  S  Ct 

Mt 

= 

mi  e  5  n  T  &  mn  e  5  n 

Mst 

= 

mi  G  5  n  r  &  mn  €  5  D 

Mjnx 

= 

mi  G  S  n  T 

Mfnn 

= 

mn  G  5  n  T 

dS 

= 

doneS 

dT 

doneT 

This  assertion  (Figure  10)  may  be  derived  from  <i>s\\(i>T  by  the  rules  for  implication  in  the  following 
manner.  The  parallel  composition  of  <j>s  and  4>t  implies  a  recursive  assertion  with  the  same  shape 
as  Figure  10,  by  retaining  only  the  relevant  conjuncts  inside  the  assertion  body.  Then  we  conjoin 
the  condition  DURsr^MkL  to  the  root  of  the  first  conjunct  of  the  assertion  body  and  use  the 
rule  for  forward  propagation  to  derive  the  conditions  at  the  remaining  nodes;  similarly,  we  conjoin 
i257'&A/&T  to  the  root  of  the  second  conjunct  and  propagate.  Most  of  the  propagation  steps  are 
obviously  valid. 

We  write  mi  >  5  as  an  abbreviation  for  Vi  e  S.mx  >  i,  and  similarly  for  mn  <  T.  The 
following  condition: 

|5|  =  s  &  |T|  =  t  &  5  n  T  C  {mi,  mn}  &  5  U  T  U  {mi,  mn}  =  A  &  mi  >  5  &  mn  <  T 

is  easily  shown  to  be  a  global  invariant  for  this  program,  since  it  is  clearly  preserved  by  every  atomic 
action  in  the  assertion  of  Figure  10,  given  the  corresponding  pre-condition.  It  may  therefore  be 
conjoined  to  every  node  of  the  assertion  by  forward  propagation.  Let  us  use  the  abbreviation  INV 
for  this  condition. 

The  desired  partial  correctness  property,  and  absence  of  deadlock,  are  then  deducible,  since  we 
have  obtained  a  safe  assertion  with  root  condition  INV  k,  D  h  Rst  &  termination  condition 
INV  h  M  h  L,  and  deadlock  condition  false.  It  is  clear  that  the  initialization  part  of  the  overall 
program  will  terminate  in  a  state  satisfying  INV  k  D  k  Rst  &  M  if  begun  in  a  state  satisfying 
PRE;  and  POST  is  implied  by  the  above  termination  condition. 
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^d\ 

rmn/^ 

D,rTnx,M,  L  D,rmn,M.L 


ik 


^5T.  -W.  L 

\rfnx 


rmi,  M,  L  rmn,  M.  L 

m*>mn/^  \  /  \mx>mn 

mx>my  ^  Nmx>mn  rmx,  M,  L  M,L  rmn,M,L 

D,rmx,M,L  D,M,L  D.rmn,M.  L  rmi\  /  \ 


rmx:=/tt/#e 


rFMP>mT»' 


D,  A/.  I  D,  /?T,  M.  I 

V/,  X 

/  \T:  — mn-fmr  • 


rmn:s/a^4e 

/ 

D,Rs,M.L  DM,L 

5:  — mr+mn^/^ 

D.Rs,Ts,L  D,fmn,M,L  D,M  D,fmx,M,L  D,Rt,Mt,L 

y/'  y/  :=«riie 

Ds,Rs,Ms,L  D,rfnn,M,L  D,rrnn,M  D,rmx,M  D,rmx.MT,L  Dt,Rt,Mt,L 


M.L 

'^x>mn 


ioneS  isztrue  / 


mz>mn^ 
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Figure  10:  An  assertion  satisfied  by  SMALL||LARGE 
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5  Relationship  to  other  proof  systems 


i 


In  this  section  we  place  our  proof  system  in  context  by  examining  its  relationship  with  some  proof 
systems  and  proof  methodologies  proposed  by  other  authors.  We  show  that  the  Owicki-Gries  proof 
rule  can  be  seen  as  being  based  on  a  different  form  of  syntactic  parallel  composition  of  assertions, 
and  that  the  inference  rule  for  parallel  composition  in  the  “generalized  Hoare’s  logic”  of  Lamport 
and  Schneider  can  be  derived  from  our  rule  when  the  assertions  used  in  their  system  are  represented 
appropriately  inside  our  assertion  language.  The  same  is  true  of  the  parallel  proof  rule  in  Gerth’s 
Transition  Logic. 


5.1  The  Owicki-Gries  proof  system 

The  Owicki-Gries  proof  system  used  conventional  pea’s  of  the  form  {/*}  C  {Q},  although  the  parallel 
composition  rule  requires  the  use  of  proof  outlines  as  premisses.  A  proof  outline  is  a  command  text 
annotated  with  conditions,  one  before  and  one  after  each  syntactic  occurrence  of  an  atomic  action. 
At  least  for  sequential  commands,  safe  assertions  in  our  assertion  language  correspond  precisely  with 
such  proof  outlines  because  computations  of  sequential  commands  follow  the  syntactic  structure 
of  the  command.  The  analogy  can  be  extended  to  parallel  commands  too,  although  the  syntactic 
structure  of  a  proof  outline  is  no  longer  so  close  to  that  of  the  corresponding  safe  assertion. 

Owicki’s  parallel  composition  rule  essentially  corresponds  to  a  slightly  different  form  of  parallel 
composition  of  assertions.  This  may  be  defined  as  follows. 

For  4>  =  P'E?=i  OiiPi4>i  and  V)  =  Q  we  put 


n  m 

[4>\\oi>\  =  {PkQ}{Y,<^dP>^Q}[<PiM  +  T>l3j  {PkQj} 

i=l  j=l 

We  also  specify  that 

[Po\\oQi:T=i0jQ:i^j]  =  {PmET=i0:{P^Q:}[P°\\o^:l 

together  with  the  symmetric  versions.  We  also  put 

[p.llog,]  =  {P&g}. 

[P*\\oQo]  =  {P&g}o 
[Po\\oQ*]  =  {PkQ]o 
[PoWoQo]  =  {PkQ}0 

as  before.  However,  this  form  of  composition  does  not  always  produce  an  assertion  which  correctly 
describes  the  behavior  of  a  parallel  composition  of  commands.  We  need  the  notion  of  interference- 
freedom  to  guarantee  this  [OG76]. 


Definition  5.1  The  set  atoms(0)  of  atomic  sub-assertions  of  <t>  is  defined  by  induction  on  the 
depth  of  <i>: 

atoms(Po)  =  atoms(/’*)  =  {} 

atoms(pf;”_i  {Pt}\l  <  i  <  n}  U  U"=i  atoms(<l)i) 

atoms((^i&02)  =  atoms(<^i)  U  atoms((^) 
atoms(0)  =  {} 
dktoms{(i0  .()>)  =  atoms((^). 
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Definition  5.2  Two  assertions  (j>  and  V’  aje  interference-free,  written  int-free(d>,  V’),  iff  for  every 
pair  of  atomic  assertions 


{p}  a  {p'}  6  atoms(<^),  {9}  (3  {g'}  €  atoms(0), 


the  pea’s 

{p&g}  a  {q}  ,  {p&q}  /3  {p}  ,  {p&g'}  a  {9'}  ,  {p'^q}  /3  {p'} 
are  valid.  • 

Theorem  5.3  If  <t>  and  ip  are  interference-free  then 

Cl  sat  4>  ond  [=  C2  sat  ip  imply  |=  [CiWCi]  sat  [d>||oV’]- 

In  view  of  this  result  the  following  inference  rule  is  valid: 

Cl  sat  <p  Co  sat  ip 

-  if  int-fre€(<^,  ip) 

[C1IIC2]  sat  [4>\\oi>] 

Note  that  this  theorem  and  the  proof  rule  are  stated  in  a  form  applicable  to  all  assertions, 
not  just  to  safe  assertions.  This  can,  therefore,  be  regarded  as  a  slight  extension  of  Owicki’s  ideas 
to  encompass  a  more  expressive  assertion  language.  The  following  result  shows  that  interference- 
freedom  guarantees  the  preservation  of  safeness. 

Theorem  5.4  If  <p  arid  ip  are  safe  and  interference- free,  then  [<A|loV’]  safe. 

The  root  and  termination  conditions  of  this  form  of  parallel  composition  satisfy  the  following 
logical  equivalences: 

root(0||ot/r)  =  root(^)  &  root(V') 
term(<^||oVr)  =  term((^)  &  term(V’). 

This  may  be  shown  by  an  inductive  argument.  There  is  then  an  obvious  link  with  Owicki’s  proof 
rule  for  parallel  composition.  This  rule,  taken  from  [OG76],  is: 

proofs  of  {Pi}Ci{Qi},  {P2}C2{Q2}  int-free 

{Pi&P2}(Ci1|C2]{Q,&Q2} 

Now  proof  outlines  for  the  Hoare  assertions  {P«  }C,  {Q,  }  correspond  to  safe  assertions  <pi  such 
that  C,  sat  <pi,  with  root(^,)  =  P,  and  term(0,)  =  Qi.  The  interference-freedom  of  these  proof 
outlines  corresponds  to  interference- freedom  of  <pi  and  <p2-  Then  [4>i\\o4>2]  is  a  safe  assertion  satisfied 
by  [C1IIC2],  and  has  root  P1&P2  and  termination  condition  Q\kQ2-  Thus,  a  proof  using  Owicki’s 
rule  can  be  represented  in  our  system  using  the  above  inference  rule  for  (p\\o‘P- 

Auxiliary  variables  and  auxiliary  critical  regions 

It  is  well  known  [OG76]  that  a  proof  system  using  the  Owicki-Gries  proof  rule  for  parallel  compo¬ 
sition  is  not  complete  for  partial  correctness  assertions.  As  a  simple  example,  it  is  impossible  even 
to  prove  the  obviously  valid  assertion 

{i  =  0}  [i:=r  +  l||x:=a:  -|-  1]  {i  =  2} 
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using  the  rules  for  parallel  composition  and  assignment  and  the  Rule  of  Consequence  alone.  We 
chose  to  avoid  this  problem  by  introducing  conjunctions  and  implication.  Owicki  achieved  com¬ 
pleteness  by  adding  “auxiliary  variables”  to  programs  and  adding  new  proof  rules  to  allow  their 
use. 

A  set  X  of  identifiers  is  auxiliary  for  a  command  C  if  all  free  occurrences  of  identifiers  from 
this  set  in  C  are  inside  assignments  to  identifiers  also  in  X.  Thus,  for  instance,  for  the  command 

i;=i  -f-  l;y;=2;a;=i 

the  sets  {j/}  ,  {j/,  2}  ,  {a,x}  and  {x,y,z,a}  are  auxiliary,  but  {1}  is  not.  Let  us  write 

C  aux  X 

when  X  is  an  auxiliary  set  of  identifiers  for  C. 

Given  any  set  X  of  identifiers  and  any  command  C,  let  C  \  A  be  the  command  resulting  from 
the  deletion  in  C  of  all  assignments  to  identifiers  in  A.  It  is  clear  that  if  .Y  is  auxiliary  for  C  then 
C\X  has  the  same  partial  correctness  effect  on  identifiers  outside  X  hs  C  does,  and  C  \  X  leaves 
the  values  of  all  identifiers  in  X  fixed. 

Let  free[[P,Q]]stand  for  the  set  of  identifiers  having  a  free  occurrence  in  either  P  01  Q.  Owicki’s 
auxiliary  variables  rule  is: 

{P}C{Q} 

— — ! - — —  if  C  aux  A  &  freeffP,  Q]]n  JY  =  {}. 

{P}C\A{Q} 

In  addition  to  this  rule,  for  completeness  of  the  Owicki  proof  system  one  also  needs  a  rule  for 
eliminating  “unnecessary”  critical  regions  and  irrelevant  atomic  actions  which  have  been  inserted 
merely  to  cope  with  auxiliary  variables. 

As  an  example,  we  can  now  prove  (as  in  [OG76])  the  assertion 

{x  =  0}  [x:=x  -i-  l||x:=x  -|-  1]  {x  =  2} 

by  first  introducing  auxiliary  variables  a  and  b  to  tag  the  two  assignments  and  establishing  the 
assertion 

{x  =  0}  a:=0;  6:=0;  [(a:=l;  x:=x  -|-  l)jj{6:=l;  x:=x  -f  1)]  {x  =  2}  . 

Then  we  eliminate  the  auxiliary  variables  and  the  extra  critical  regions.  This  augmented  assertion 
can  be  proved  by  first  proving  the  following  assertions  for  the  two  parallel  components: 

{Pa}  (a:=l;  x:=x  -|-  1)  {Qa}  , 

{P6}{^:=1;  x:=x-t-  1)  {(?(,}, 

wh6r€ 

Pa  =  (6  =  0  &  X  =  0)  V  (6  =  1  &  X  =  1), 

Qa  =  (6  =  0&  x=  l&  a=l)V(6=l&x  =  2&  a  =  l), 

P(,  =  (a  =  0&  x  =  0)V(a=l&x=l), 

Qk  =  (a  =  0&  x  =  l&  6=  l)V(a=l&x  =  2&  6=:l). 

These  two  proof  outlines  are  interference-free  (this  requires  the  verification  of  four  conditions),  and 
their  use  in  the  parallel  rule  enables  us  to  conclude 

{Pa  &  Pb}  [(a:=l;  x:=x  -f-  l)l|(6:=l;  x:=i  =  1)]  {Qa  &  Qb}  ■ 
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Since  we  have 


{i  =  0} a:=0;  6:=0 {x  =  0fca  =  0&  6  =  0}, 

I  =  0&  a  =  0&  6  =  0  =>  Pa  ^  Qai 
Qa  ^  Qb  =>  X  =  2, 

the  desired  result  follows  by  the  usual  Hoare  rules  for  sequential  composition  and  the  Rule  of 
Consequence.  In  contrast,  the  desired  ncda  is  deducible  in  our  proof  system  by  means  of  conjunction 
and  the  parallel  composition  rule,  w  aout  needing  to  modify  the  program  text. 

Owicki  and  Cries  suggested  a  method  of  proving  deadlock- freedom  for  a  parallel  program  by 
means  of  a  global  invariant  P  such  that  P  is  false  in  all  deadlock  states.  The  verification  that 
P  is  indeed  false  in  deadlock  states,  and  the  calculation  of  the  set  of  possible  deadlock  states  (or 
a  syntactically  determinable  superset  of  the  set  of  potential  deadlock  states),  is  performed  in  a 
separate  phase  of  the  analysis.  In  a  sense,  then,  this  kind  of  methodology  requires  stepping  outside 
of  the  proof  system  and  performing  a  “meta-analysis”.  In  contrast,  our  assertion  language  can 
express  deadlock  properties  directly  and  one  can  carry  out  reasoning  about  both  partial  correctness 
and  deadlock- freedom  entirely  within  the  proof  system. 

5.2  Lamport’s  proof  rules 

Lamport  [LamSO]  proposed  using  assertions  of  the  form  {P}  C  {Q}  with  the  interpretation  that  in 
every  execution  which  starts  somewhere  inside  C  with  P  true,  P  remains  true  until  C  terminates, 
when  Q  will  be  true;  in  particular,  it  follows  that  P  implies  Q.  Such  an  assertion  corresponds  to  one 
of  our  transition  assertions  which  each  Pi  (and  all  other  intermediate  conditions) 

are  identical  to  P  and  all  leaf  conditions  are  identical  to  Q.  The  proof  rule  for  parallel  composition 
given  in  [LamSO]  was: 

{P}Ci{Q}  {P}C2{Q) 

{P)[Cx\\C2]{Q) 

But  our  definition  of  parallel  composition  of  assertions  preserves  this  uniformity  property:  the 
parallel  composition  of  (the  assertions  representing)  {P}C\  {Q}  and  {P)C2{Q)  will  again  have 
leaf  Q  and  each  intermediate  condition  will  be  P.  (In  fact,  this  uniformity  property  is  preserved 
both  by  our  ||  and  by  the  other  form  Ho)-  Thus,  Lamport’s  rule  is  derivable  from  our  rule  for 
parallel  composition. 

Instead  of  adding  auxiliary  variables,  Lamport  suggested  the  use  of  program  labels  such  as  A, 
for  the  control  points  of  a  program,  and  including  in  the  condition  language  expressions  of  the 
form  at(A),  inside(A),  after(A).  Lamport’s  system  requires  reasoning  about  control  points  and  the 
flow  of  control  between  them.  Since  in  a  Lamport-style  assertion  the  same  P  has  to  represent 
more  than  one  control  point  at  a  time,  the  conditions  can  get  rather  large:  typically,  P  takes  the 
form  of  a  conjunction  like  ^  Indeed,  it  could  be  argued  that  since  the  same  P  is 

serving  a  multitude  of  purposes  it  is  natural  to  split  it  up  into  its  components  and  to  attach  these 
components  to  the  control  points  at  which  they  are  intended  to  hold;  this  is  more  in  line  with  our 
notation,  with  control  points  corresponding  to  nodes  in  a  tree. 

The  Generalized  Hoare  Logic  of  Lamport  and  Schneider  [LS84]  used  a  similar  type  of  assertion  to 
those  of  [LamSO],  except  that  they  insisted  that  the  post-condition  coincide  with  the  pre-condition: 
they  used  invariant  assertions  {P}C  {P}.  The  interpretation  is  as  before,  that  whenever  an  exe¬ 
cution  begins  somewhere  inside  C  with  P  true,  P  will  remain  true  until  termination.  Again,  their 
proof  rule  for  parallel  composition  (essentially,  a  special  case  of  the  one  from  [LamSO],  given  above) 
is  representable  in  our  system.  Again,  control  conditions  are  used  inside  invariants,  so  that  an 
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invariant  is  really  serving  a  multitude  of  purposes  and  could  profitably  be  split  up  and  distributed 
to  the  separate  control  points. 

5.3  Gerth’s  Transition  Logic 

The  Transition  Logic  of  Gerth  [Ger83]  also  has  some  connection  with  our  work.  Gerth’s  assertions, 
written  [P]C[Q],  are  interpreted:  every  transition  that  begins  somewhere  in  C  from  a  state  satisfy¬ 
ing  P  ends  in  a  state  satisfying  Q.  Again,  the  conditions  need  to  involve  control  point  expressions. 
Gerth’s  rule  for  parallel  composition  is: 

[P]C,[Q]  [P\C^[Q] 

[P][Ci\\C2][Q]. 

But  the  assertion  [P]C[Q]  can  again  be  rendered  in  our  assertion  language  as  an  assertion  with 
a  simple  structure  (alternating  P  and  Q  along  each  branch),  and  again  our  parallel  composition 
of  assertions  has  the  required  effect,  producing  an  assertion  representating  [P][C\\\C2\[Q]  from 
representations  of  [P\Ci[Q\  and  [PjCjfQ].  This  means  that  Gerth’s  rule  can  be  derived  in  our 
system. 

5.4  Other  related  work 

The  proof  methodology  ?.ud  program  development  method  advocated  by  Jones  [Jon83]  uses  rely  and 
guarantee  conditions  in  addition  to  pre-  and  post-conditions.  Roughly  speaking,  a  rely  condition 
corresponds  to  a  rre-condition  assumed  by  every  atomic  action  in  an  assertion,  and  a  guarantee 
condition  is  impbed  by  all  post-conditions  of  the  relevant  atomic  actions. 

Stirling  describes  a  compositional  reformulation  of  the  Owicki-Gries  logic  involving  Hoare  quin¬ 
tuples  (r.  A)  I-  {P}  C  {Q},  where  F  and  A  are  sets  of  first-order  conditions.  He  employs  a  proof 
rule  for  parallel  composition  which  does  not  need  an  interference- freedom  side  condition;  instead, 
the  rule  may  only  be  applied  when  a  simple  “interlocking”  constraint  is  satisfied.  This  system  still 
requires  an  auxiliary  variables  rule. 

Other  authors,  for  example  [BKP84,  MP82],  have  proposed  compositional  proof  systems  for 
concurrent  programs  in  which  the  underlying  assertions  are  temporal  in  nature.  In  contrast  to  these 
mcchods,  we  have  avoided  temporal  assertions  at  the  expense  of  using  conjunction  and  implication 
as  operations  on  more  highly  structured  assertions  built  from  conventional  pre-  and  post-conditions. 
We  still  obtained  a  compositional  proof  system.  In  fact,  our  assertions  do  have  some  similarity  with 
cemporal  logic  in  the  sense  that  an  assertion  has  built  into  it  a  specification  of  the  possible  atomic 
actions  and  the  behavior  of  the  command  after  each  of  them,  so  that  one  could  indeed  represent 
one  of  our  assertions  (/>  in  a  more  conventional  temporal  or  dynamic  logic. 

6  Conclusions 

We  have  demonstrated  a  new  proof  methodology  for  shared  variable  parallel  programs  which,  unlike 
earlier  proof  systems  of  [LG81,  OG76],  does  not  require  the  manipulation  of  auxiliary  variables 
purely  for  proof-theoretical  purposes  and  which  does  not  require  a  notion  of  interference-freedom 
to  guarantee  soundness.  However,  we  do  not  claim  that  we  have  found  a  panacea.  Just  as  it  is 
necessary  to  exercise  skill  in  the  choice  and  use  of  auxiliary  variables  in  Owicki’s  system,  our  system 
requires  a  judicious  choice  of  conjunctions.  Moreover,  our  proof  system  exhibits  the  problems 
inherent  in  our  underlying  programming  language.  In  particular,  since  parallel  commands  may 
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share  variables  and  their  interaction  can  be  extremely  complex,  it  may  be  prohibitively  difficult 
to  keep  track  of  the  various  threads  of  control  when  trying  to  reason  about  programs.  This  is 
true  of  informal  attempts  as  well  as  of  formal  methods  using  any  of  the  proposed  proof  systems, 
ours  included.  Specifically,  as  is  well  known,  the  state  space  of  a  parallel  program  may  grow 
exponentially  with  the  number  of  parallel  components;  this  manifests  itself  in  our  methodology 
with  a  possibly  exponential  growth  in  assertion  size.  Similar  drawbacks  plague  other  approaches, 
although  sometimes  manifested  in  different  ways.  For  example,  in  the  Owicki-Gries  methodology 
the  number  of  side-conditions  that  need  to  be  verified  to  establish  interference- freedom  may  be 
large,  and  in  Lamport’s  generalized  Hoare  Logic  the  global  invariant  may  itself  be  large  since  it 
must  typically  contain  a  conjunct  for  each  combination  of  control  points.  It  would  be  worthwhile 
to  develop  machine- assisted  tools  to  help  deal  with  these  problems. 

In  favor  of  our  approach  we  note  that  a  careful  choice  of  transition  assertion  proof  may  reduce 
the  number  of  interactions  between  program  fragments  that  need  to  be  considered,  because  we 
need  only  take  into  account  potential  interference  between  program  phrases  which  actually  may  be 
executed  in  parallel  dynamically,  since  the  assertion  structure  is  detailed  enough  to  permit  these 
cases  to  be  determined.  Thus,  for  example,  in  the  Set  Partition  program  we  never  needed  to  analyze 
the  effect  of  actions  in  the  second  part  of  SMALL’s  loop  body  on  pre-  or  post-conditions  used  in 
the  first  part  of  LARGE’s  loop  body.  In  contrast,  a  proof  using  interference-freedom  matches  up 
for  such  an  analysis  all  pairs  of  atomic  actions  occurring  in  the  text  of  the  two  processes. 

Our  assertion  language  was  chosen  to  permit  reasoning  about  deadlock  and  partial  correct¬ 
ness  together,  and  by  basing  it  on  a  resumption-style  semantics  we  end  up  with  tree-structured 
assertions.  This  means  that  the  assertion  language  is  rather  expressive,  and  it  could  perhaps  be 
argued  that  it  is  too  expressive:  it  allows  us  make  certain  logical  distinctions  between  program 
phrases  which  are  actually  irrelevant  to  the  generalized  partial  correctness  and  deadlock  properties 
of  program  built  from  those  phrases.  For  instance,  the  commands  skip  and  skip;  skip  satisfy 
exactly  the  same  generalized  pea’s  but  not  the  same  transition  assertions.  This  issue  is  related 
to  the  full  abstraction  problem  for  our  programming  language  [HP79].  It  would  be  interesting  to 
investigate  the  possibility  of  basing  a  proof  methodology  on  a  streamlined  version  of  our  assertion 
language,  in  which  irrelevant  skip  actions  are  absorbed.  Moreover,  although  we  made  the  syntax  of 
atomic  actions  explicit  in  the  assertion  structure,  this  was  largely  done  to  improve  the  readability 
of  assertions  and  is  not  really  necessary  for  axiomatic  purposes. 

Similar  ideas  to  those  used  in  this  paper  may  be  adopted  in  an  axiomatic  treatment  of  other 
forms  of  parallel  programming.  In  particular,  a  communication- based  distributed  programming 
language  such  as  CSP  [Hoa78]  may  be  axiomatized  if  we  modify  the  class  of  assertions  to  represent 
the  potential  for  communication  and  if  we  design  a  suitable  parallel  composition  of  assertions. 
When  adapting  these  ideas  to  a  language  like  CSP  it  becomes  vital  to  record  at  least  a  vestige  of 
the  syntax  of  actions  in  assertion  structure,  so  that  we  may  ensure  that  parallel  composition  of 
assertions  models  synchronization  appropriately.  An  outline  of  such  an  axiomatization  is  presented 
in  [Bro86],  and  we  plan  to  develop  this  further  and  to  place  this  work  in  the  context  of  existing 
proof  systems  for  CSP  based  on  the  Owicki-Gries  style  [AFdR80,  LG81]. 
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Appendix:  Remarks  on  Relative  Completeness 

We  have  shown  that  the  proof  system  introduced  in  this  paper  is  sound,  with  justification  provided 
by  reference  to  the  underlying  operational  semantics.  In  other  words,  whenever  C  sat  is  provable 
■»  it  follows  that  4>  correctly  describes  (some  aspect  of)  the  operational  behavior  of  C.  The  proof 

system  is  not  complete,  for  a  rather  trivial  reason:  every  command  satisfies  an  assertion  4>  whose 
root  is  false,  but  this  is  not  deducible  from  the  above  rules.  One  solution  is  to  add  a  logical  rule 
•  to  this  effect: 

-•root(<^) 

C  sat  4> 

Such  a  rule  is  obviously  sound,. but  plays  no  useful  role  in  program  verification. 

We  are  primarily  interested  in  this  paper  in  the  derivation  of  valid  pcda’s.  As  is  the  case  for 
Hoare’s  original  logic,  the  best  we  can  achieve  is  relative  completeness,  or  completeness  in  the  sense 
of  Cook.  Let  Th  be  the  set  of  valid  conditions.  We  write 

Th  h  C  sat  <f> 

if  C  sat  (f>  can  be  proved  using  assumptions  from  Th.  We  assume  that  the  condition  language  is 
expressive,  in  that  for  every  command  C  and  every  condition  Q  there  is  a  condition  P  expressing 
the  weakest  pre-condition  for  C  and  Q,  or  equivalently,  for  every  command  and  every  condition 
the  strongest  post-condition  is  expressible  in  the  condition  language. 

Theorem  6.1  For  every  valid  pcda  {P}C  {Q}[.R]  there  is  a  safe  assertion  4>  for  which  Th  K 
C  sat  <f>  and  P  =>  root{(t>),  term{<f>)  =>  Q,  and  dead{4>)  =>•  R. 

The  key  idea  in  the  proof  of  this  result  is  to  generalize  the  notion  of  strongest  post-condition  to 
the  parallel  setting.  We  have  already  introduce  safe  assertions,  program  skeletons,  and  the  forward 
propagation  rule.  It  is  easy  to  show  that  for  every  command  C  the  assertion  skel(C)  is  provable 
from  our  axioms  and  rules.  One  can  then  show  that  every  valid  pcda  {P}  C  {Q}  [i?]  may  be  derived, 
using  rules  for  implication  (including  forward  propagation)  from  skel(C).  One  way  to  do  this  is  to 
systematically  transform  the  assertion  skel(C)  from  the  root  downwards  to  propagate  P  as  follows. 
Since  this  is  essentially  forward  propagation  of  strongest  post-conditions,  we  refer  to  the  resulting 
assertion  as  the  strongest  post-assertion  of  C  and  P. 

Definition  6.2  Let  spc(P,  a)  denote  the  strongest  post-condition  for  atomic  action  a  and  pre¬ 
condition  P.  The  strongest  post-assertion  of  <t>  and  P  is  defined  by  induction  on  the  syntactic 
structure  of  4>: 

spa(P,Qo)  =  {F  &  Q}o 

spa(F,Q«)  =  {F  &  Q}* 

spa(F,QXI?=i«.Q.^i)  =  {P  ^  Q}Er=i«.{^i}spa(F„</),) 

spa(F,<^i  k  4>2)  =  spa(F,d>i)  &  spa(F,d>2) 

,  spa(/x0.d>)  =  p,0.spa{P,4>) 

spa(F,^)  =  9, 

where  each  Ri  is  of  form  spc(F  k  Q,ai).  • 

Intuitively,  the  assertion  spa(F,skel(C))  is  the  strongest  safe  assertion  with  root  condition  F 
that  C  ScMsfies.  It  is  clear  that  since  C  sat  skel(C)  is  provable,  so  is  C  sat  spa(F,  skel(C)). 
If  {P)C{  v}[i2]  is  valid  it  will  then  be  deducible  from  this  strongest  post-assertion,  since  the 
termination  condition  of  spa(F,skel(C))  will  imply  Q  and  the  deadlock  condition  of  spa(F,  skel(C)) 
will  imply  R. 
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